TL;DR: It is concluded that although the IFC product model schema is richly expressive, it lacks formal definition of its entities, attributes, and relationships, which is expected to impact the overall interoperability of applications in the building information modeling realm.
TL;DR: A comprehensive reference model, entitled FOrmal Reference Model for Self-adaptation (FORMS), that provides rigor in the manner self-adaptive software systems can be described and reasoned about and has a potential for documenting reusable architectural solutions to commonly encountered problems in this area.
Abstract: The challenges of pervasive and mobile computing environments, which are highly dynamic and unpredictable, have motivated the development of self-adaptive software systems. Although noteworthy successes have been achieved on many fronts, the construction of such systems remains significantly more challenging than traditional systems. We argue this is partially because researchers and practitioners have been struggling with the lack of a precise vocabulary for describing and reasoning about the key architectural characteristics of self-adaptive systems. Further exacerbating the situation is the fact that existing frameworks and guidelines do not provide an encompassing perspective of the different types of concerns in this setting. In this article, we present a comprehensive reference model, entitled FOrmal Reference Model for Self-adaptation (FORMS), that targets both issues. FORMS provides rigor in the manner such systems can be described and reasoned about. It consists of a small number of formally specified modeling elements that correspond to the key concerns in the design of self-adaptive software systems, and a set of relationships that guide their composition. We demonstrate FORMS's ability to precisely describe and reason about the architectural characteristics of distributed self-adaptive software systems through its application to several existing systems. FORMS's expressive power gives it a potential for documenting reusable architectural solutions (e.g., architectural patterns) to commonly encountered problems in this area.
TL;DR: The study shows that the attention for self-adaptive software systems is gradually increasing, but the number of studies that employ formal methods remains low, and there is a need for light-weight tools to support runtime verification.
Abstract: One major challenge in self-adaptive systems is to assure the required quality properties. Formal methods provide the means to rigorously specify and reason about the behaviors of self-adaptive systems, both at design time and runtime. To the best of our knowledge, no systematic study has been performed on the use of formal methods in self-adaptive systems. As a result, there is no clear view on what methods have been used to verify self-adaptive systems, and what support these methods offer to software developers. As such insight is important for researchers and engineers, we performed a systematic literature review covering 12 main software engineering venues and 4 journals, resulting in 75 papers used for data collection. The study shows that the attention for self-adaptive software systems is gradually increasing, but the number of studies that employ formal methods remains low. The main focus of formalization is on modeling and reasoning. Model checking and theorem proving have gained limited attention. The main concerns of interest in formalization of self-adaptation are efficiency/performance and reliability. Important adaptation concerns, such as security and scalability, are hardly considered. To verify the concerns of interest, a set of new properties are defined, such as interference freedom, responsiveness, mismatch, and loss-tolerance. A relevant part of the studies use formal methods at runtime, but the use is limited to modeling and analysis. Formal methods can be applied to other runtime activities of self-adaptation, and there is a need for light-weight tools to support runtime verification.
TL;DR: This article surveys behavioral interface specification languages with a focus toward automatic program verification and with a view towards aiding the Verified Software Initiative—a fifteen-year, cooperative, international project directed at the scientific challenges of large-scale software verification.
Abstract: Behavioral interface specification languages provide formal code-level annotations, such as preconditions, postconditions, invariants, and assertions that allow programmers to express the intended behavior of program modules. Such specifications are useful for precisely documenting program behavior, for guiding implementation, and for facilitating agreement between teams of programmers in modular development of software. When used in conjunction with automated analysis and program verification tools, such specifications can support detection of common code vulnerabilities, capture of light-weight application-specific semantic properties, generation of test cases and test oracles, and full formal program verification. This article surveys behavioral interface specification languages with a focus toward automatic program verification and with a view towards aiding the Verified Software Initiative—a fifteen-year, cooperative, international project directed at the scientific challenges of large-scale software verification.
TL;DR: This book provides foundations for software specification and formal software development from the perspective of work on algebraic specification, concentrating on developing basic concepts and studying their fundamental properties.
Abstract: This book provides foundations for software specification and formal software development from the perspective of work on algebraic specification, concentrating on developing basic concepts and studying their fundamental properties. These foundations are built on a solid mathematical basis, using elements of universal algebra, category theory and logic, and this mathematical toolbox provides a convenient language for precisely formulating the concepts involved in software specification and development. Once formally defined, these notions become subject to mathematical investigation, and this interplay between mathematics and software engineering yields results that are mathematically interesting, conceptually revealing, and practically useful. The theory presented by the authors has its origins in work on algebraic specifications that started in the early 1970s, and their treatment is comprehensive. This book contains five kinds of material: the requisite mathematical foundations; traditional algebraic specifications; elements of the theory of institutions; formal specification and development; and proof methods. While the book is self-contained, mathematical maturity and familiarity with the problems of software engineering are required; and in the examples that directly relate to programming, the authors assume acquaintance with the concepts of functional programming. The book will be of value to researchers and advanced graduate students in the areas of programming and theoretical computer science.
TL;DR: It is shown which advantageous features of OntoCAPE facilitate the handling of the changes of such a complex engineering ontology over a long period of evolution and which provide a principled guidance for a better understanding and an easier further development.
Abstract: An overview on OntoCAPE, a large-scale ontology for chemical process engineering, is given, and the development and some applications of OntoCAPE are reported. The methodology adopted for developing OntoCAPE is described to show how the ontology has evolved from its skeletal, informal specification to a complete, formal specification. Furthermore, the organization of the ontology is addressed through presenting its modular, layered structure. It is shown that this design enables a proper balance between usability and reusability of this ontology and that it provides a principled guidance for a better understanding and an easier further development. Some exemplary applications of OntoCAPE in the area of computer-aided process engineering are sketched to demonstrate the ontology's range of use. It is shown which advantageous features of OntoCAPE facilitate the handling of the changes of such a complex engineering ontology over a long period of evolution. A comprehensive environment providing adequate computer support for the evolution of complex ontologies is envisioned.
TL;DR: A new, streamlined language of global types equipped with a trace-based semantics and whose features and restrictions are semantically justified is presented, allowing a multi-party session to leave out redundant traces from an underspecified global type.
Abstract: Global types are formal specifications that describe communication protocols in terms of their global interactions. We present a new, streamlined language of global types equipped with a trace-based semantics and whose features and restrictions are semantically justified. The multi-party sessions obtained projecting our global types enjoy a liveness property in addition to the traditional progress and are shown to be sound and complete with respect to the set of traces of the originating global type. Our notion of completeness is less demanding than the classical ones, allowing a multi-party session to leave out redundant traces from an underspecified global type. In addition to the technical content, we discuss some limitations of our language of global types and provide an extensive comparison with related specification languages adopted in different communities.
TL;DR: It is demonstrated that logic-based workflow verification can be applied to SWSpec, which is capable of checking compliance and also detecting conflicts among the imposed requirements, and will support scalable service interoperation in the form of workflows in open environments.
Abstract: This paper presents a requirement-oriented automated framework for formal verification of service workflows. It is based on our previous work describing the requirement-oriented service workflow specification language called SWSpec. This language has been developed to facilitate workflow composers as well as arbitrary services willing to participate in a workflow to formally and uniformly impose their own requirements. As such, SWSpec provides a formal way to regulate and control workflows. The key component of the proposed framework centers on verification algorithms that rely on propositional logic. We demonstrate that logic-based workflow verification can be applied to SWSpec, which is capable of checking compliance and also detecting conflicts among the imposed requirements. By automating the compliance checking process, this framework will support scalable service interoperation in the form of workflows in open environments.
TL;DR: A Service Workflow Specification language is proposed, called SWSpec, which allows arbitrary services in a workflow to formally and uniformly impose their requirements, and will provide a formal way to regulate and control workflows as well as enrich the proliferation of service provision and consumption in open environments.
Abstract: Advanced technologies have changed the nature of business processes in the form of services. In coordinating services to achieve a particular objective, service workflow is used to control service composition, execution sequences as well as path selection. Since existing mechanisms are insufficient for addressing the diversity and dynamicity of the requirements in a large-scale distributed environment, developing a formal requirements specification is necessary. In this paper, we propose a Service Workflow Specification language, called SWSpec, which allows arbitrary services in a workflow to formally and uniformly impose their requirements. As such, the solution will provide a formal way to regulate and control workflows as well as enrich the proliferation of service provision and consumption in open environments.
TL;DR: A novel formalism and method to systematically derive the high-level function of an unknown circuit component given its gate-level netlist, based on mining interesting behavioral patterns from the simulation traces of a gate-level netlist and representing them as a pattern graph.
Abstract: Systems are increasingly being constructed from off-the-shelf components acquired through a globally distributed, untrusted supply chain. The lack of trust in these components necessitates additional validation of the components before use. Additionally, hardware trojans are becoming a pressing concern. In this paper, we present a novel formalism and method to systematically derive the high-level function of an unknown circuit component given its gate-level netlist. We define the high-level description of a circuit as an interconnection of instantiations of abstract library components characterized using logical specifications. The proposed approach is based on mining interesting behavioral patterns from the simulation traces of a gate-level netlist, and representing them as a pattern graph. A similar pattern graph is also generated for library components. Our method first computes input-output signal correspondences via subgraph isomorphism on the pattern graphs. The general function of the unknown circuit is then determined by finding the closest match in the component library, by model checking the unknown circuit against each logical specification. We demonstrate the effectiveness of our approach on publicly-available circuits.
TL;DR: This paper presents state-of-the-art techniques to generate adaptors given the description of reused entities' conversations and an abstract specification of the way mismatch can be solved, using a process algebra to encode the adaptation problem, and proposes on-the-fly exploration and reduction techniques to compute adaptor protocols.
Abstract: Reuse and composition are increasingly advocated and put into practice in modern software engineering. However, the software entities that are to be reused to build an application, e.g., services, have seldom been developed to integrate and to cope with the application requirements. As a consequence, they present mismatch, which directly hampers their reusability and the possibility of composing them. Software Adaptation has become a hot topic as a nonintrusive solution to work mismatch out using corrective pieces named adaptors. However, adaptation is a complex issue, especially when behavioral interfaces, or conversations, are taken into account. In this paper, we present state-of-the-art techniques to generate adaptors given the description of reused entities' conversations and an abstract specification of the way mismatch can be solved. We use a process algebra to encode the adaptation problem, and propose on-the-fly exploration and reduction techniques to compute adaptor protocols. Our approach follows the model-driven engineering paradigm, applied to service-oriented computing as a representative field of composition-based software engineering. We take service description languages as inputs of the adaptation process and we implement adaptors as centralized service compositions, i.e., orchestrations. Our approach is completely tool supported.
TL;DR: This paper presents an automatic testing technique that reveals concurrency bugs in supposedly thread-safe classes, independent of hand-written tests and explicit specifications.
Abstract: Concurrent, object-oriented programs often use thread-safe library classes. Existing techniques for testing a thread-safe class either rely on tests using the class, on formal specifications, or on both. Unfortunately, these techniques often are not fully automatic as they involve the user in analyzing the output. This paper presents an automatic testing technique that reveals concurrency bugs in supposedly thread-safe classes. The analysis requires as input only the class under test and reports only true positives. The key idea is to generate tests in which multiple threads call methods on a shared instance of the tested class. If a concurrent test exhibits an exception or a deadlock that cannot be triggered in any linearized execution of the test, the analysis reports a thread safety violation. The approach is easily applicable, because it is independent of hand-written tests and explicit specifications. The analysis finds 15 concurrency bugs in popular Java libraries, including two previously unknown bugs in the Java standard library.
TL;DR: The case demonstrates the feasibility of fully capturing a system-level design as a single comprehensive formal model and analyzing it automatically using a toolset based on (probabilistic) model checkers.
Abstract: This paper reports on the usage of a broad palette of formal modeling and analysis techniques on a regular industrial-size design of an ultra-modern satellite platform. These efforts were carried out in parallel with the conventional software development of the satellite platform. The model itself is expressed in a formalized dialect of AADL. Its formal nature enables rigorous and automated analysis, for which the recently developed COMPASS toolset was used. The whole effort revealed numerous inconsistencies in the early design documents, and the use of formal analyses provided additional insight on discrete system behavior (comprising nearly 50 million states), on hybrid system behavior involving discrete and continuous variables, and enabled the automated generation of large fault trees (66 nodes) for safety analysis that typically are constructed by hand. The model's size pushed the computational tractability of the algorithms underlying the formal analyses, and revealed bottlenecks for future theoretical research. Additionally, the effort led to newly learned practices from which subsequent formal modeling and analysis efforts shall benefit, especially when they are injected into the conventional software development lifecycle. The case demonstrates the feasibility of fully capturing a system-level design as a single comprehensive formal model and analyzing it automatically using a toolset based on (probabilistic) model checkers.
TL;DR: It is argued that a formal and model-driven design methodology can lead to systems which meet this requirement, and a more concrete design example on computer-aided diagnosis and automated decision making is provided.
Abstract: Physiological signals, medical images, and biosystems can be used to assess the health of a subject, and they can support clinicians by improving the diagnosis for treatment purposes. Computer-aided diagnosis (CAD) in healthcare applications can help in automated decision making, visualization and extraction of hidden complex features to aid in the clinical diagnosis. These CAD systems focus on improving the quality of patient care with a minimum of faults due to device failures. In this paper, we argue that a formal and model-driven design methodology can lead to systems which meet this requirement. Modeling is not new to CAD, but modeling for systems design is less explored. Therefore, we discuss selected systems design techniques and provide a more concrete design example on computer-aided diagnosis and automated decision making.
TL;DR: This work presents a novel technique for dynamically mining and checking specifications without relying on existing input to drive a program and without reporting false positives.
Abstract: Mining specifications and using them for bug detection is a promising way to reveal bugs in programs. Existing approaches suffer from two problems. First, dynamic specification miners require input that drives a program to generate common usage patterns. Second, existing approaches report false positives, that is, spurious warnings that mislead developers and reduce the practicability of the approach. We present a novel technique for dynamically mining and checking specifications without relying on existing input to drive a program and without reporting false positives. Our technique leverages automatically generated tests in two ways: passing tests drive the program during specification mining, and failing test executions are checked against the mined specifications. The output is a set of warnings that show with concrete test cases how the program violates commonly accepted specifications. Our implementation reports no false positives and 54 true positives in ten well-tested Java programs.
TL;DR: This paper introduces the concept of Tract, a generalization of model transformation contracts, and shows how Tracts can be used for model transformation specification and black-box testing, and the kinds of analyses they allow.
Abstract: In this paper we present some of the key issues involved in model transformation specification and testing, discuss and classify some of the existing approaches, and introduce the concept of Tract, a generalization of model transformation contracts. We show how Tracts can be used for model transformation specification and black-box testing, and the kinds of analyses they allow. Some representative examples are used to illustrate this approach.
TL;DR: This work argues that an action is for a purpose if and only if the action is part of a plan for optimizing the satisfaction of that purpose under the MDP model, and uses this formalization to define when a sequence of actions is only for or not for a purpose.
Abstract: Privacy policies often place restrictions on the purposes for which a governed entity may use personal information. For example, regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), require that hospital employees use medical information for only certain purposes, such as treatment, but not for others, such as gossip. Thus, using formal or automated methods for enforcing privacy policies requires a semantics of purpose restrictions to determine whether an action is for a purpose or not. We provide such a semantics using a formalism based on planning. We model planning using a modified version of Markov Decision Processes (MDPs), which exclude redundant actions for a formal definition of redundant. We argue that an action is for a purpose if and only if the action is part of a plan for optimizing the satisfaction of that purpose under the MDP model. We use this formalization to define when a sequence of actions is only for or not for a purpose. This semantics enables us to create and implement an algorithm for automating auditing, and to describe formally and compare rigorously previous enforcement methods. To validate our semantics, we conduct a survey to compare our semantics to how people commonly understand the word "purpose".
TL;DR: A logical verification methodology for checking behavioral properties of service-oriented computing systems and shows an instantiation of the general methodology that uses the formal language COWS to conveniently specify services and the expressly developed software tool CMC to assist the user in the task of verifying SocL formulas over service specifications.
Abstract: We introduce a logical verification methodology for checking behavioral properties of service-oriented computing systems. Service properties are described by means of SocL, a branching-time temporal logic that we have specifically designed for expressing in an effective way distinctive aspects of services, such as, acceptance of a request, provision of a response, correlation among service requests and responses, etc. Our approach allows service properties to be expressed in such a way that they can be independent of service domains and specifications. We show an instantiation of our general methodology that uses the formal language COWS to conveniently specify services and the expressly developed software tool CMC to assist the user in the task of verifying SocL formulas over service specifications. We demonstrate the feasibility and effectiveness of our methodology by means of the specification and analysis of a case study in the automotive domain.
TL;DR: This paper applied FORML to the specification of two feature sets, automotive and telephony, and discusses how well the case studies exercised the language and how the requirements models evolved over the course of the case studies.
Abstract: In this paper, we present a feature-oriented requirements modelling language (FORML) for modelling the behavioural requirements of a software product line. FORML aims to support feature modularity and precise requirements modelling, and to ease the task of adding new features to a set of existing requirements. In particular, FORML decomposes a product line's requirements into feature modules, and provides language support for specifying tightly-coupled features as model fragments that extend and override existing feature modules. We discuss how decisions in the design of FORML affect the evolvability of requirements models, and explicate the specification of intended interactions among related features. We applied FORML to the specification of two feature sets, automotive and telephony, and we discuss how well the case studies exercised the language and how the requirements models evolved over the course of the case studies.
TL;DR: This paper describes two operators for manipulating feature specifications described using hierarchical state machine models: Match, for finding correspondences between models, and Merge, for combining models with respect to known or hypothesized correspondences between them.
Abstract: Model Management addresses the problem of managing an evolving collection of models by capturing the relationships between models and providing well-defined operators to manipulate them. In this paper, we describe two such operators for manipulating feature specifications described using hierarchical state machine models: Match, for finding correspondences between models, and Merge, for combining models with respect to known or hypothesized correspondences between them. Our Match operator is heuristic, making use of both static and behavioral properties of the models to improve the accuracy of matching. Our Merge operator preserves the hierarchical structure of the input models, and handles differences in behavior through parameterization. This enables us to automatically construct merges that preserve the semantics of hierarchical state machines. We report on tool support for our Match and Merge operators, and illustrate and evaluate our work by applying these operators to a set of telecommunication features built by AT&T.
TL;DR: The result shows that the method may be more effective in detecting function-related defects than PBR but slightly less effective in detecting implementation-related defects.
Abstract: Software inspection is a static analysis technique that is widely used for defect detection, but which suffers from a lack of rigor. In this paper, we address this problem by taking advantage of formal specification and analysis to support a systematic and rigorous inspection method. The aim of the method is to use inspection to determine whether every functional scenario defined in the specification is implemented correctly by a set of program paths and whether every program path of the program contributes to the implementation of some functional scenario in the specification. The method is comprised of five steps: deriving functional scenarios from the specification, deriving paths from the program, linking scenarios to paths, analyzing paths against the corresponding scenarios, and producing an inspection report, and allows for a systematic and automatic generation of a checklist for inspection. We present an example to show how the method can be used, and describe an experiment to evaluate its performance by comparing it to perspective-based reading (PBR). The result shows that our method may be more effective in detecting function-related defects than PBR but slightly less effective in detecting implementation-related defects. We also describe a prototype tool to demonstrate the supportability of the method, and draw some conclusions about our work.
TL;DR: The main contribution of this work is that it exploits the semantics of the WS-AT services to minimize the use of Byzantine Agreement (BA), instead of applying BFT techniques naively, which would be prohibitively expensive.
Abstract: The Web Services Atomic Transactions (WS-AT) specification makes it possible for businesses to engage in standard distributed transaction processing over the Internet using Web Services technology. For such business applications, trustworthy coordination of WS-AT is crucial. In this paper, we explain how to render WS-AT coordination trustworthy by applying Byzantine Fault Tolerance (BFT) techniques. More specifically, we show how to protect the core services described in the WS-AT specification, namely, the Activation service, the Registration service, the Completion service and the Coordinator service, against Byzantine faults. The main contribution of this work is that it exploits the semantics of the WS-AT services to minimize the use of Byzantine Agreement (BA), instead of applying BFT techniques naively, which would be prohibitively expensive. We have incorporated our BFT protocols and mechanisms into an open-source framework that implements the WS-AT specification. The resulting BFT framework for WS-AT is useful for business applications that are based on WS-AT and that require a high degree of dependability, security, and trust.
TL;DR: A formal specification and validation environment to prove safety and liveness properties of parametric (unbounded) NoC architectures described at a high level of abstraction is presented; it improves the GeNoC approach with two new theorems, proving evacuation and starvation freedom.
Abstract: This article presents a formal specification and validation environment to prove safety and liveness properties of parametric (unbounded) NoC architectures described at a high level of abstraction. The environment improves the GeNoC approach with two new theorems, proving evacuation and starvation freedom. The application of the validation methodology is illustrated on a HERMES NoC with adaptive west-first routing and wormhole switching. This case study illustrates the strong compositional aspect of the GeNoC environment. The complete specification of this HERMES instance, together with the proof that the specification is deadlock-free and starvation-free and that all messages eventually leave the network at their correct destination, could be achieved in about a week. Approximately 86% of this proof is automatically derived from the GeNoC model.
TL;DR: A new solution that supports automated vulnerability analysis using formalized vulnerability signatures described in OCL is introduced, and a prototype static vulnerability analysis tool is developed based on this formalized vulnerability signature specification approach.
Abstract: Adopting publicly accessible platforms such as the cloud computing model to host IT systems has become a leading trend. Although this helps to minimize cost and increase the availability and reachability of applications, it has serious implications for application security. Attackers can easily exploit vulnerabilities in such publicly accessible services. In addition, 75% of the total reported application vulnerabilities are web application specific. Identifying such known vulnerabilities as well as newly discovered vulnerabilities is a key and challenging security requirement. However, existing vulnerability analysis tools cover no more than 47% of the known vulnerabilities. We introduce a new solution that supports automated vulnerability analysis using formalized vulnerability signatures. Instead of depending on formal methods to locate vulnerability instances, where a dedicated analyzer has to be developed for each specific vulnerability, our approach incorporates a formal vulnerability signature described in OCL. Using this formal signature, we perform program analysis of the target system to locate signature matches (i.e., signs of possible vulnerabilities). A newly discovered vulnerability can be easily identified in a target program provided that a formal signature for it exists. We have developed a prototype static vulnerability analysis tool based on our formalized vulnerability signature specification approach. We have validated our approach by capturing signatures of the OWASP Top 10 vulnerabilities and applying these signatures to analyze a set of seven benchmark applications.
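The abstract describes matching a declarative vulnerability signature against a program rather than hand-writing an analyzer per vulnerability. The following is an added illustration of that idea and is not the paper's tool or its OCL signatures: the signature is written as plain Python data (source calls, sink calls with the argument position that must be clean, and sanitizer calls), and matched over the Python AST of a constructed sample program. The source, sink and sanitizer names, the sample functions, and the flow-insensitive taint rules are all assumptions made for the example.

```python
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """A declarative vulnerability signature (illustrative stand-in for an OCL signature)."""
    name: str
    sources: frozenset      # calls whose result is attacker-controlled
    sinks: dict             # sink call -> index of the argument that must be untainted
    sanitizers: frozenset   # calls whose result is treated as clean


# Assumed signature for a string-built SQL query; the call names are examples only.
SQLI = Signature(
    name="SQL injection via string-built query",
    sources=frozenset({"request.args.get", "request.form.get"}),
    sinks={"cursor.execute": 0},
    sanitizers=frozenset({"int", "quote_identifier"}),
)


def call_name(call: ast.Call) -> str:
    """Dotted name of a call target, e.g. Call(request.args.get(...)) -> 'request.args.get'."""
    parts, f = [], call.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))


def is_tainted(expr: ast.AST, tainted: set, sig: Signature) -> bool:
    """Does `expr` carry source data that has not passed through a sanitizer?"""
    if isinstance(expr, ast.Call):
        name = call_name(expr)
        if name in sig.sanitizers:
            return False
        if name in sig.sources:
            return True
        return any(is_tainted(a, tainted, sig) for a in expr.args)
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.BinOp):          # "..." + name
        return is_tainted(expr.left, tainted, sig) or is_tainted(expr.right, tainted, sig)
    if isinstance(expr, ast.JoinedStr):      # f"... {name} ..."
        return any(isinstance(v, ast.FormattedValue) and is_tainted(v.value, tainted, sig)
                   for v in expr.values)
    return False


def _preorder(node: ast.AST):
    """Yield nodes in source order so assignments are seen before later uses."""
    yield node
    for child in ast.iter_child_nodes(node):
        yield from _preorder(child)


def match_signature(source: str, sig: Signature):
    """Flow-insensitive, per-function match; returns [(signature, function, line), ...]."""
    findings = []
    for fn in ast.parse(source).body:
        if not isinstance(fn, ast.FunctionDef):
            continue
        tainted = set()
        for node in _preorder(fn):
            if isinstance(node, ast.Assign) and is_tainted(node.value, tainted, sig):
                tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
            elif isinstance(node, ast.Call) and call_name(node) in sig.sinks:
                idx = sig.sinks[call_name(node)]
                if idx < len(node.args) and is_tainted(node.args[idx], tainted, sig):
                    findings.append((sig.name, fn.name, node.lineno))
    return findings


# Constructed sample program: two vulnerable functions, one sanitized, one parameterised.
SAMPLE = '''
def by_name_concat(request, cursor):
    name = request.args.get("name")
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")

def by_name_fstring(request, cursor):
    name = request.args.get("name")
    query = f"SELECT * FROM users WHERE name = '{name}'"
    cursor.execute(query)

def by_id_sanitized(request, cursor):
    uid = int(request.args.get("id"))
    cursor.execute("SELECT * FROM users WHERE id = " + str(uid))

def by_name_param(request, cursor):
    name = request.args.get("name")
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))
'''

if __name__ == "__main__":
    for sig_name, fn_name, line in match_signature(SAMPLE, SQLI):
        print(f"{sig_name}: {fn_name} line {line}")
```

The signature is data, so a new vulnerability class is added by writing another `Signature` rather than another analyzer. The parameterised query is not reported because only the query-string argument of the sink is checked, and the `int()`-sanitized query is not reported because the sanitizer cuts the taint; the matcher is deliberately flow-insensitive within a function, so it over-approximates on reassignment and branches, which is the usual trade-off for a signature-driven static check.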
TL;DR: The approach presented in this paper implements a development process covering aspects (i) to (iv) using the new data exchange format AutomationML, which serves as an enabling technology, has the potential to change future development processes, and may trigger the development of new, better integrated tools.
Abstract: The planning, testing and integration of modern automation systems is becoming more and more a bottleneck in the construction of new production facilities. This is due to the facts that plants grow in complexity and that modern automation systems are highly distributed and comprise complex components.
TL;DR: A formal specification language for the declarative formulation of transformation properties (invariants, pre- and postconditions) is proposed from which partial oracle functions that facilitate testing of the transformations are generated.
Abstract: Testing model transformations poses several challenges, among them the automatic generation of appropriate input test models and the specification of oracle functions. Most approaches to the generation of input models ensure a certain level of source meta-model coverage, whereas the oracle functions are frequently defined using query or graph languages. Both tasks are usually performed independently, regardless of their common purpose, and sometimes there is a gap between the properties exhibited by the generated input models and those demanded of the transformations (as given by the oracles).
Recently, we proposed a formal specification language for the declarative formulation of transformation properties (invariants, pre- and postconditions) from which we generated partial oracle functions that facilitate testing of the transformations. Here we extend the usage of our specification language for the automated generation of input test models by constraint solving. The testing process becomes more intentional because the generated models ensure a certain coverage of the interesting properties of the transformation. Moreover, we use the same specification to consistently derive both the input test models and the oracle functions.
TL;DR: A taxonomy of compliance constraints for business processes is introduced based on the notion of compliance patterns, which serves as the backbone of the root-cause analysis, which is conducted to reason about and eventually to resolve design-time compliance violations.
Abstract: Today's enterprises demand a high degree of compliance of business processes to meet laws and regulations, such as Sarbanes-Oxley and Basel II. Compliance should be enforced during all phases of business process lifecycle, from the phases of analysis and design to deployment, monitoring and evaluation. In this paper, a taxonomy of compliance constraints for business processes is introduced based on the notion of compliance patterns. Patterns facilitate the formal specification of compliance constraints that enable their verification and analysis against business process models. This taxonomy serves as the backbone of the root-cause analysis, which is conducted to reason about and eventually to resolve design-time compliance violations, by providing appropriate guidelines as remedies to alleviate design-time compliance deviations. We have developed and integrated a set of tools to observe and evaluate the applicability of our approach, and experiment with it in case studies.
TL;DR: In this article, the authors apply material ologs, category-theoretic descriptions of hierarchical materials, to rigorously define a process by which material building blocks can be replaced by others while maintaining large-scale properties.
Abstract: An important objective in materials design is to develop a systematic methodology for replacing unavailable or expensive material building blocks by simpler and abundant ones, while maintaining or improving the functionality of the material. The mathematical field of category theory provides a formal specification language which lies at the heart of such a methodology. In this paper, we apply material ologs, category-theoretic descriptions of hierarchical materials, to rigorously define a process by which material building blocks can be replaced by others while maintaining large-scale properties, to the extent possible. We demonstrate the implementation of this approach by using algebraic techniques to predict concrete conditions needed for building block replacement. As an example, we specify structure–function relationships in two systems: a laminated composite and a structure–function analogue, a fruit salad. In both systems we illustrate how ologs provide us with a mathematical tool that allows us to replace one building block with others to achieve approximately the same functionality, and how to use them to model and design seemingly distinct physical systems with a consistent mathematical framework.
TL;DR: This work presents a modeling library on top of SystemC, targeting heterogeneous embedded system design and based on four models of computation, which has a formal basis where all elements are well defined and lead to the construction of analyzable models.
Abstract: Electronic System Level (ESL) design of embedded systems proposes raising the abstraction level of the design entry to cope with the increasing complexity of such systems. To exploit the benefits of ESL, design languages should allow specification of models which are a) heterogeneous, to describe different aspects of systems; b) formally defined, for application of analysis and synthesis methods; c) executable, to enable early detection of specification errors; and d) parallel, to exploit multi- and many-core platforms for simulation and implementation. We present a modeling library on top of SystemC, targeting heterogeneous embedded system design, based on four models of computation. The library has a formal basis where all elements are well defined and lead to the construction of analyzable models. The semantics of communication and computation are implemented by the library, which allows the designer to focus on specifying the purely functional aspects. A key advantage is that the formalism is used to export the structure and behavior of the models via introspection as an abstract representation for further analysis and synthesis.